[syslog-ng] Adding new fields to existing logs

Allen Olivas allen.olivas at infodefense.com
Tue Oct 8 23:04:03 UTC 2019


Hello,

I need to add some new fields to an existing log before it gets sent to its destination. I'm trying to decode these logs with Wazuh and will need some unique fields in the beginning of the message so I can successfully prematch my decoder.

I was looking through previous cases and saw the comments on Regular Expressions in rewrite. After studying those posts to this mailing list (https://lists.balabit.hu/pipermail/syslog-ng/2019-August/025392.html) and reviewing the documentation I'm pretty sure this can be done, just not sure how to start, to use a macro or no macro, template or no template.

Here are the specifics:

Raw log file snippet:  "Oct  1 13:48:01 SOME-DEVICE-HOSTNAME Core: Last message...."

I would like to add something like "Ruckus VirtualSmartZone" to the log before SOME-DEVICE-HOSTNAME. So the new log entry that goes to the destination looks like

"Oct  1 13:48:01  Ruckus VirtualSmartZone  SOME-DEVICE-HOSTNAME Core: Last message..."

Do I need to write a filter (with regex) to screen for the time stamp and hostname, then rewrite it to add that entry "Ruckus VirtualSmartZone"?
Or if not how best to approach this?

Thanks,

Allen Olivas
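One way to do this without any regex, as an added example (not configuration from the original post): a rewrite rule stores the constant tag in a custom name-value pair, and a destination template places it between the timestamp and the hostname. The names s_net, r_ruckus, t_ruckus, d_ruckus, DEVICE_FAMILY and the file path are assumptions for illustration.

```conf
# Added example, not from the original post. Assumes an existing
# source named s_net that receives the Ruckus device logs.

# Store the constant tag in a custom name-value pair instead of editing
# $MSG, so the original message body stays untouched.
rewrite r_ruckus {
    set("Ruckus VirtualSmartZone" value("DEVICE_FAMILY"));
};

# Rebuild the line in BSD-syslog order, inserting the tag before ${HOST}.
# ${MSGHDR} is the program name (e.g. "Core: "), ${MSG} the message text.
# Output: "Oct  1 13:48:01 Ruckus VirtualSmartZone SOME-DEVICE-HOSTNAME Core: Last message..."
template t_ruckus {
    template("${DATE} ${DEVICE_FAMILY} ${HOST} ${MSGHDR}${MSG}\n");
    template_escape(no);
};

# The same template() option works on network() or syslog() destinations
# when the logs are forwarded to the Wazuh manager instead of a file.
destination d_ruckus {
    file("/var/log/ruckus.log" template(t_ruckus));
};

log {
    source(s_net);
    rewrite(r_ruckus);
    destination(d_ruckus);
};
```

Because the tag sits where the BSD-syslog hostname field is expected, any receiver that re-parses the line as RFC 3164 will read "Ruckus" as the hostname; if that matters, send the tag over a structured destination (for example a JSON template) rather than rewriting the header layout.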